Post on 25-Jun-2020
Bitcoin Security: Cryptographic Risks
Nicolas T. Courtois University College London, UK
with special thanks to Jean-Jacques Quisquater [UCL Belgium] who taught me cryptography when I was a student but could not make it today
Security of Bitcoin
Dr. Nicolas T. Courtois
1. cryptologist and codebreaker
2. payment and smart cards (e.g. bank cards, Oyster cards etc…)
Crypto Currencies
3 Nicolas T. Courtois 2009-2014
UCL Bitcoin Seminar (research seminar)
=> In central London, runs EVERY WEEK!
public web page:
blog.bettercrypto.com / SEMINAR
or Google "UCL bitcoin seminar"
Our Works on Bitcoin (cf. also blog.bettercrypto.com)
- Nicolas Courtois, Marek Grajek, Rahul Naik: The Unreasonable Fundamental Incertitudes Behind Bitcoin Mining, http://arxiv.org/abs/1310.7935
- Nicolas Courtois, Marek Grajek, Rahul Naik: Optimizing SHA256 in Bitcoin Mining, CSS 2014, Springer.
- Nicolas Courtois, Lear Bahack: On Subversive Miner Strategies and Block Withholding Attack in Bitcoin Digital Currency, http://arxiv.org/abs/1402.1718
- Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies, http://arxiv.org/abs/1405.0534
- Nicolas T. Courtois, Pinar Emirdag and Daniel A. Nagy: Could Bitcoin Transactions Be 100x Faster? In proceedings of SECRYPT 2014, 28-30 August 2014, Vienna, Austria.
- Nicolas T. Courtois, Pinar Emirdag and Filippo Valsorda: Private Key Recovery Combination Attacks: On Extreme Fragility of Popular Bitcoin Key Management, Wallet and Cold Storage Solutions in Presence of Poor RNG Events, 16 Oct 2014, http://eprint.iacr.org/2014/848
- Poster: http://www.nicolascourtois.com/bitcoin/POSTER_100x_Secrypt2014_v1.0.pdf
My Whole Life:
Tried to improve the security baseline…
Crying Wolf!
51%, Elliptic Curve, OpenSSL...
It did NOT help,
The Wolf was allowed to operate
We failed to protect our DATA
We fail to protect our MONEY
Solution = Decentralized P2P
Solution = BlockChain
• Until recently, we’ve needed central bodies – banks, stock markets, governments, police forces – to settle vital questions.
  – Who owns this money?
  – Who controls this company?
  – Who has the right to vote in this election?
• Now we have a small piece of pure, incorruptible mathematics enshrined in computer code that will allow people to solve the thorniest problems without reference to “the authorities”.
http://www.telegraph.co.uk/technology/news/10881213/The-coming-digital-anarchy.html
[11 June 2014]
But Is Cryptography Incorruptible?
NSA 2013 Budget, excerpts:
[…] actively engages the US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs.
[…] Insert vulnerabilities into commercial encryption systems […]
[…] Influence policies, standards and specification for commercial public key technologies.[…]
Code Breakers
John Nash – 1955
In 2012 the NSA declassified his hand-written letter.
He also says that:
“[…] the game of cipher breaking by skilled teams, etc., should become a thing of the past.” […]
Groups and ECC
Elliptic Curve Crypto
“exponential security”
ECC - Certicom Challenges [1997, revised 2009]
TOTAL = 725,000 USD
Cryptographic Security of ECDSA in Bitcoin
P vs. NP
• If you solve P vs. NP: 1 M$.
• Nobel prize, Abel prize in mathematics: roughly 1 M$.
• Break bitcoin ECC: about 4 BILLION $.
How to Steal Bitcoins
New attacks [Courtois et al. October 2014]
ECDSA Attack – 2 Users
random a: must be kept secret!
Signing: random a from the RNG; R = a.P; r = x(R) mod n; s = (H(m) + d.r)/a mod n; output (r, s).
same a used twice => detected in public blockchain (same r) => (s1.a − H(m1))/d1 = r = (s2.a − H(m2))/d2 mod n => r(d1 − d2) − a(s1 − s2) = H(m2) − H(m1) mod n
each person can steal the other person’s bitcoins!
=> either of them CAN recompute the nonce a that was used
has already happened 100 times in Bitcoin
Attack – Same User
random a: must be kept secret!
Signing: random a from the RNG; R = a.P; r = x(R) mod n; s = (H(m) + d.r)/a mod n; output (r, s).
same a used twice by the same user (d1 = d2). In this case we have: (s1.a − H(m1)) = r.d = (s2.a − H(m2)) mod n => a = (H(m1) − H(m2))/(s1 − s2) mod n AND now d = (s.a − H(m))/r mod n
anybody can steal the bitcoins!
has also happened many times in Bitcoin
Stopped in 2013?
Android bug was fixed…
Second Major Outbreak – May 2014
Recent Bad Randoms
From my own scan:
0f25a7cc9e76ef38c0feadcfa5550c173d845ce36e16bde09829a3af57097240
appears 8 times in block 322925 (28 September 2014), used by different users…
So What?
Previous attacks:
• Classical bad random attacks typically concern only very few bitcoin accounts, and only some very lucky holders of bitcoins can actually steal other people's bitcoins.
• Only a few hundred accounts in the whole history of bitcoin are affected.
The Really Scary Attacks
New attacks [Courtois et al. October 2014]
=> under certain conditions ALL bitcoins in cold storage can be stolen
=> millions of accounts potentially affected.
New Paper: cf. eprint.iacr.org/2014/848/
Solutions:
Solution 1: Deterministic signatures = RFC 6979 by Thomas Pornin
Solution 2: MultiSig: for example 2 out of 3 signatures are required to spend bitcoins.
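The two nonce-reuse derivations above and Solution 1, as an added Python example (not code from the slides or from the cited papers): a minimal textbook ECDSA over secp256k1, the repeated-r scan that is how these events are spotted in the public blockchain, the "same user" and "two users" recovery formulas exactly as written on the slides, and an RFC 6979 deterministic nonce that makes the repeated-r condition impossible for distinct messages. The private keys, messages and the reused nonce are constructed demo values; the only assumption beyond the slides is SHA-256 as H(m).

```python
import hashlib
import hmac
from collections import defaultdict

# secp256k1 domain parameters (the curve Bitcoin uses). The point at infinity is None.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p, q):
    """Affine addition on y^2 = x^3 + 7 over F_P (demo code, not constant-time)."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None                       # p == -q
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def H(msg):
    """The slides' H(m): SHA-256 of the message, read as an integer (assumed hash)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(d, msg, a):
    """ECDSA with an explicit nonce a: R = a.G, r = x(R) mod n, s = (H(m) + d.r)/a mod n."""
    r = ec_mul(a, G)[0] % N
    s = (H(msg) + d * r) * pow(a, -1, N) % N
    return (r, s)

def verify(Q, msg, sig):
    """Standard ECDSA verification against the public key Q = d.G."""
    r, s = sig
    w = pow(s, -1, N)
    R = ec_add(ec_mul(H(msg) * w % N, G), ec_mul(r * w % N, Q))
    return R is not None and R[0] % N == r

def rfc6979_nonce(d, msg):
    """Deterministic nonce (RFC 6979, SHA-256, 256-bit n): HMAC-DRBG seeded with d and H(m)."""
    x = d.to_bytes(32, "big")
    h1 = (H(msg) % N).to_bytes(32, "big")          # bits2octets(h1) for a 256-bit n
    V, K = b"\x01" * 32, b"\x00" * 32
    K = hmac.new(K, V + b"\x00" + x + h1, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    K = hmac.new(K, V + b"\x01" + x + h1, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    while True:                                    # one round normally suffices when qlen == hlen
        V = hmac.new(K, V, hashlib.sha256).digest()
        k = int.from_bytes(V, "big")
        if 1 <= k < N:
            return k
        K = hmac.new(K, V + b"\x00", hashlib.sha256).digest()
        V = hmac.new(K, V, hashlib.sha256).digest()

def find_repeated_r(sigs):
    """Scan check: group (label, (r, s)) pairs by r; an r seen twice means a reused nonce."""
    by_r = defaultdict(list)
    for label, (r, _s) in sigs:
        by_r[r].append(label)
    return {r: labels for r, labels in by_r.items() if len(labels) > 1}

def recover_same_user(m1, s1, m2, s2, r):
    """Slide 'Same User' (d1 = d2): a = (H(m1) - H(m2))/(s1 - s2), d = (s1.a - H(m1))/r mod n."""
    a = (H(m1) - H(m2)) * pow(s1 - s2, -1, N) % N
    d = (s1 * a - H(m1)) * pow(r, -1, N) % N
    return a, d

def recover_other_user(d1, m1, s1, m2, s2, r):
    """Slide '2 Users': the holder of d1 recomputes the shared a, then d2 = (s2.a - H(m2))/r mod n."""
    a = (H(m1) + d1 * r) * pow(s1, -1, N) % N
    return (s2 * a - H(m2)) * pow(r, -1, N) % N

if __name__ == "__main__":
    # Constructed demo values: two toy private keys and one nonce reused across signatures.
    d1, d2, a = 0xC0FFEE, 0xBEEF, 0x1337
    m1, m2 = b"pay Alice 1 BTC", b"pay Bob 2 BTC"
    sig1, sig2 = sign(d1, m1, a), sign(d1, m2, a)
    print("repeated r:", find_repeated_r([("tx1", sig1), ("tx2", sig2)]))
    print("same-user recovery matches:", recover_same_user(m1, sig1[1], m2, sig2[1], sig1[0]) == (a, d1))
    print("RFC 6979 nonces differ per message:", rfc6979_nonce(d1, m1) != rfc6979_nonce(d1, m2))
```

The scan is the defender's side of the slide: repeated r values are visible to anyone reading the chain, so a wallet or exchange can monitor its own outputs for them. The RFC 6979 path removes the RNG from the equation entirely: the nonce is a function of the key and the message, so the same message yields the same signature and distinct messages yield distinct r, which is what the same-user attack needs to fail.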
BTW. Multi-Sig Concept is NOT new…
1993
How to Un-corrupt Cryptography
Crypto Challenges:
I always liked this idea.
Claiming (very naive) that this would:
“punish those who by their ignorance, incompetence or because of a hidden agenda, put everybody's security at a great risk.”
[Courtois, May 2006, Quo Vadis Cryptology 4 conference]
ECC - Certicom Challenges [1997, revised 2009]
secp256k1 NOT INCLUDED: no prize if you break it
Timely Denial
Dan Brown, chair of SEC [Certicom, Entrust, Fujitsu, Visa International…]:
“I did not know that BitCoin is using secp256k1. I am surprised to see anybody use secp256k1 instead of secp256r1”, September 2013,
https://bitcointalk.org/index.php?topic=289795.80
Comparison
Used/recommended by:                                 secp256k1       secp256r1
Bitcoin, anonymous founder, no one to blame…         Y
SEC Certicom Research                                surprised!      Y
TLS, OpenSSL                                         ever used???    Y (98.3% of EC)
U.S. ANSI X9.63 for Financial Services               Y               Y
NSA Suite B, NATO military crypto                                    Y
U.S. NIST                                                            Y
IPSec                                                                Y
OpenPGP                                                              Y
Kerberos extension                                                   Y
Microsoft implemented it in Vista and Longhorn                       Y
EMV bank cards XDA [2013]                                            Y
German BSI federal gov. infosec agency, y=2015                       Y
French national ANSSI agency beyond 2020                             Y
Bitcoin Crypto Bets
Wanna Bet?
https://www.betmoose.com/bet/bitcoin-cryptography-broken-in-2015-791
betmoose.com – Totally Anonymous Bets In BTC!
Amount?
• Don’t bet a ridiculous amount!
• As long as we don’t have 2000 BTC in this bet, we will simply NOT yet know if bitcoin ECC is broken…
• Don’t expect that code breakers who can make 725,000 $ elsewhere will even try to break bitcoin Elliptic Curve.
• They would rather steal some bitcoins – possible only if your public key is revealed.
=> Tip: use each Bitcoin address only once!
https://www.betmoose.com/bet/bitcoin-cryptography-broken-in-2015-791
Anarchy? Dark Side
• In Bitcoin many things which are BUGS are presented as FEATURES:
  – monetary policy (or the lack of one) – frequent criticism
  – problematic cryptography = anonymous founder syndrome, standardized yet TOTALLY disjoint from normal industrial cryptography, NOBUS syndrome (NSA jargon)
  – decision mechanisms (the Longest Chain Rule): no reason why the same mechanism decides which blocks are valid and which transactions are valid; by far too slow, too unstable, too easy to manipulate
  – 51% attacks ARE realistic, feasible and … INEXPENSIVE!
  – sudden jumps in monetary policy => genetically-programmed self-destruction of many crypto currencies
See: Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534
Dangers of Open Source
• the open-source nature of the developer population provides opportunities for frivolous or criminal behavior that can damage the participants in the same way that investors can be misled by promises of get rich quick schemes [...]
• one of the biggest risks that we face as a society in the digital age [...] is the quality of the code that will be used to run our lives.
Cf. Vivian A. Maese: Divining the Regulatory Future of Illegitimate Cryptocurrencies, In Wall Street Lawyer, Vol. 18 Issue 5, May 2014.
Citation
Bitcoin is:
• Wild West of our time [Anderson-Rosenberg]
Improve Quality/Security?
Bitcoin Has The Solution!
Future belongs to self-funded open-source communities:
– can hire programmers, security experts, etc…
– avoid code of dubious origin
?
Koblitz citation:
“Once I heard a speaker from NSA complain about university researchers who are cavalier about proposing untested cryptosystems. He pointed out that in the real world if your cryptography fails, you lose a million dollars or your secret agent gets killed. In academia, if you write about a cryptosystem and then a few months later find a way to break it, you've got two new papers to add to your résumé!”
Neal Koblitz, Notices of the American Mathematical Society, September 2007.
Official Bitcoin Wiki
https://en.bitcoin.it/wiki/Myths#Bitcoins_are_worthless_because_they.27re_based_on_unproven_cryptography
“SHA256 and ECDSA which are used in Bitcoin are well-known industry standard algorithms. SHA256 is endorsed and used by the US Government and is standardized (FIPS180-3 Secure Hash Standard).
If you believe that these algorithms are untrustworthy then you should not trust Bitcoin, credit card transactions or any type of electronic bank transfer.”
Bitcoin has a sound basis in well understood cryptography.
Well… actually it has a major bug in it.
Major security scandal in the making?
Expect a lawsuit??? for:
– failing to adopt the crypto/industry best practices,
– supporting a dodgy cryptography standard,
– not giving users worried about security any choice,
– and lack of a careful/pro-active/preventive security approach etc...
Blame Satoshi
Officially Not Recommended
Dan Brown, chair of SEC [Certicom, Entrust, Fujitsu, Visa International…]: “I am surprised to see anybody use secp256k1”, September 2013,
https://bitcointalk.org/index.php?topic=289795.80
What If? CataCrypt Conference
Tried to improve the security baseline…
[Jean-Jacques Quisquater] again!
Solutions
• Use each fresh bitcoin account only once!
• Satoshi did something really brilliant:
  – Most transactions do NOT reveal the public key.
  – Full disclosure is unbelievably stupid and simply BAD security engineering and BAD security management.
  – Example: ATMs’ top-level public keys
51%
Cancel A Fresh Transaction?
Cancel this?
Can Somebody Cancel A Transaction?
Yes, if he produces a longer chain with another version of the history.
Very expensive: a race against the whole network (the whole planet).
Can be easy or very difficult, it depends!
Attack: Extend This Branch To Cancel One Transaction tx36
Goal: generate 4 blocks.
cost = maybe 30 BTC, gain = 500 BTC. EASY and PROFITABLE! The only difficulty is the timing!!!!
This Attack IS FEASIBLE!
Nicolas Courtois:
On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534
Easy Or Difficult?
Difficult if:
• All mining devices are privately held by independent solo miners.
Easy if:
• Many mining devices are rented through a market which allows one to instantly buy a lot of hashing power by paying a small premium over the market price.
WORSE THAN THAT:
• A large mining pool can re-sell ALL its hash power to the attacker => this CANNOT BE DETECTED by miners, due to a technicality which we will discuss later (mining with H0, not knowing on which branch/block they mine).
51% – Blunders, Mistakes, Misunderstandings
Is it a 51% Attack?
51% attacks:
• computing power can be temporarily displaced.
• it is NOT a number between 0 and 100%: two different hash powers at different moments.
• almost nobody gets it right ever… including Satoshi
Satoshi About 51%
Amazing level of confusion already in Satoshi’s writings: in Section 6 of the Satoshi paper we read that:
“The incentive [like 25 BTC] may help encourage nodes to stay honest. If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it
• to defraud people by stealing back his payments,
• or using it to generate new coins.
He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.”
Claim: this ‘honest’ option is fiction.
WRONG: Attacker does NOT need to be powerful, hack a few servers… => 80%
Mistakes Live Forever
The Economist paper, 31 Oct 2015, page 22 [one of the best papers on bitcoin ever seen, EXCEPT it downplays the 51% threat]:
• “Alice tries to rewrite history […] Short of controlling more than half the computers – known in the jargon as 51% attack – that should not be possible.”
WRONG: Alice can manipulate/cheat/hack miners to work for her [MITM].
• “You cannot predict which miner will solve a puzzle so you CANNOT predict who will get to update the blockchain at any given time, except [….] it has to be one of hard working miners, not some random interloper.”
WRONG: Actually it is ALWAYS the pool manager who updates the blockchain and DECIDES what is included in it; miners are simple sub-workers deprived of their right to vote.